Network security authentication method

ABSTRACT

The present invention discloses an authentication method for network security, comprising: firstly, a media gateway controller (MGC) configures a media gateway (MG) with an authentication key and sets a security data package on a network protocol; then, during the security authentication, the MGC utilizes the security data package to send security authentication request data to the MG; the MG performs an encryption calculation on the request data with the authentication key, and responds to the MGC with the encrypted request data; the MGC determines whether the MG being authenticated is legal according to the authentication result. Said method can prevent illegal or forged devices from accessing a network; in addition, because the authentication of the MG is performed under the control of the MGC, the method features authentication randomness and thereby has higher security authentication efficiency.

FIELD OF THE INVENTION

The present invention relates to an authentication method for network security.

BACKGROUND OF THE INVENTION

In the Next Generation Network (NGN), there are many Media Gateways (MGs) based on the Media Gateway Control Protocol (MGCP) or the H248 protocol (another media gateway control protocol, i.e., MeGaCo); these numerous MGs are widely distributed in enterprises and residences, and are characterized by covering a wide area, existing in great quantity, and being based on dynamic IPs. However, because there is no security authentication mechanism on the application layer of the MGCP protocol in the current NGN, MGs using the MGCP protocol are poor in security. Although the H248 protocol has a security authentication mechanism on the application layer, i.e., a security header can be added to each transaction request message of the H248 protocol and the security authentication result can be returned in the transaction response message, that mechanism requires exchanging a large number of H248 messages between the MGC and the MG, increasing the time for encoding and decoding H248 messages by about 40%; thus the security authentication solution provided by the conventional H248 protocol severely degrades the efficiency of the network system, and its feasibility in actual application is poor. Therefore, the problems of system security in the NGN, such as forging an MG or attacking the MGC, have not yet been solved.

SUMMARY OF THE INVENTION

An object of the present invention is to provide an effective authentication method for NGN security.

To attain said object, the authentication method for network security according to the present invention comprises:

step 1: a Media Gateway Controller (MGC) configuring a Media Gateway (MG) with an authentication key, and setting a security data package on a network protocol;

step 2: the MGC, during the security authentication, sending security authentication request data to the MG using the data package; the MG performing an encryption calculation on the request data using the authentication key, and responding to the MGC with the encrypted request data;

step 3: the MGC determining whether the MG being authenticated is legal according to the authentication result.

Said network protocol is Media Gateway Control Protocol (MGCP) or H248 protocol.

Said data package comprises: a security authentication request signal and a security authentication completion event; said security authentication request signal comprises a security authentication parameter; said security authentication completion event comprises a security authentication result parameter.

Said step 2 further comprises:

step 21: the MGC sending the security authentication request signal in the data package to the MG;

step 22: the MG, after receiving the security authentication parameter in the security authentication request signal, performing an encryption calculation on said parameter using the authentication key, and reporting the encryption calculated result to the MGC through the security authentication result parameter in the security authentication completion event in the data package.

Since the present invention uses an MGC to configure an MG with an authentication key and sets a network protocol security data package for security authentication of the MG, it can prevent network access by illegal or forged devices; in addition, since the authentication of the MG is performed under the control of the MGC (in other words, the authentication of the MG is performed whenever the MGC considers authentication to be necessary), this kind of authentication has a characteristic of randomness and higher security authentication efficiency.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Hereunder the present invention will be further described in detail.

The method according to the present invention is for implementing security management of MGs, and in substance comprises: configuring each MG with an authentication key; when initiating an authentication request, the MGC sends a random number to the MG; the MG, according to the random number sent from the MGC and the authentication key configured for the MG (of course, other information may also be included), performs an encryption calculation, and responds to the MGC with the encrypted result. The MGC performs the same calculation to determine whether its own encrypted result is identical to that sent from the MG. If not, the MGC will consider the MG as illegal.

The present invention may be implemented based on the H248 protocol or the MGCP protocol, so a security data package on MGCP or H248 needs to be added; said security data package is a collection of a security authentication signal and an event. The security authentication package on MGCP or H248 employed by the present invention comprises a security authentication request signal and a security authentication completion event. Said security authentication request signal comprises a security authentication parameter. Said security authentication completion event comprises a security authentication result parameter. When the MGC is to perform security authentication of the MG, the MGC sends a security authentication request signal to the MG, and at the same time detects the security authentication completion event from the MG. When the MG receives the security authentication request signal sent from the MGC, it performs an encryption calculation in accordance with the authentication key configured thereon and the parameter in the security authentication request signal. Upon completion of the encryption calculation, the MG reports the security authentication completion event to the MGC, with the security encryption result included in the parameter of the security authentication completion event. When the MGC receives the security authentication completion event from the MG, it compares the encryption calculated result included in the parameter of the reported security authentication completion event with the encryption calculated result calculated by itself, determining whether they are identical or not. If not, the MGC will consider the MG as illegal.

Hereunder the above procedures of the present invention are illustrated:

The security data package implemented on the MGCP protocol as described in the present invention comprises:

Package identifier: Auth; version of data package: 1;

Event included in the data package:

1. Security authentication completion event

Event Identifier: authoc;

Event detection parameter identifier: 32*64 (a hexadecimal number);

Note: the event detection parameter is used to return the authenticated result;

Signal included in the data package:

1: Security authentication request signal

Signal identifier: authreq;

Signal parameter identifier: 32*64 (a hexadecimal number, 32 to 64 bits);

The parameter in the security authentication request signal is a random number sent from the MGC to the MG. In this example, the random number is a string, which is longer than 16 bits and shorter than 32 bits. Each string is encoded into 2 hexadecimal numbers through ABNF (Augmented Backus-Naur Form) encoding.

The authentication process based on the above data package and the pseudo-codes used are:

Step 11: the MGC initiates an authentication request to the MG: the MGC sends a Request Notification (RQNT) command to the MG and allocates a Transaction Identifier (100) and a Request Identifier (123), to request the MG to detect the security authentication completion event (auth/authoc); at the same time, it sends a security authentication request signal (auth/authreq), and the MGC generates a 16-byte random number (0x78 0x90 0xab 0xcd 0xef 0x56 0x78 0x90 0x00 0x22 0x00 0x22 0x00 0x22 0x00 0x32) as the security authentication parameter of the security authentication request signal.

Step 12: when receiving the Request Notification (RQNT) command sent from the MGC, the MG returns a correct response to this command (the response code being correct response (200), with the Transaction Identifier (100) identical to that in the Request Notification (RQNT) command sent from the MGC), to acknowledge that the MG has received the Request Notification (RQNT) command from the MGC correctly.

Step 13: When detecting a security authentication request signal after it receives the Request Notification (RQNT) command from the MGC, the MG begins to perform a security authentication calculation, i.e., performing an encryption calculation with the parameter taken out from the security authentication request signal and the authentication key configured thereon (the authentication key being assumed as 0x12 0x24 0x56 0x78 0x56 0x32 0x78 0x23 0x24 0x25 0x76 0x32 0x32 0x45 0x45 0x32). The result obtained through the encryption calculation is (0x12 0x34 0xab 0xcd 0xef 0xab 0xef 0x90 0x00 0x22 0x00 0x22 0x67 0x89 0x77 0x88). The MG generates a security authentication completion event and checks whether the MGC has requested to report the security authentication completion event; if detecting that the MGC has requested to report the event, the MG sends a Notify (NTFY) command to the MGC, with the detected event being the security authentication completion event (auth/authoc) and the parameter of the event being the encrypted result. The Request Identifier (123) is identical to that in the Request Notification (RQNT) command sent from the MGC, and the Transaction Identifier (200) is assigned.

Step 14: when receiving the NTFY command from the MG, the MGC returns a correct response to this command, the response code being correct response (200), with the Transaction Identifier (200) identical to that in the Notify (NTFY) command reported from the MG, to acknowledge that the MGC has received the Notify (NTFY) command from the MG correctly.

Step 15: when receiving the encrypted result reported from the MG, the MGC compares the result with the encrypted result calculated by itself; if the two results are identical to each other, the MGC considers the MG as legal; if the two results are not identical to each other or the MG doesn't report the encrypted result within a predefined time, the MGC considers the MG as illegal.
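The challenge-response described above (the general mechanism in the detailed description and steps 11 to 15 of the MGCP embodiment) can be exercised end to end with a small simulation. The following is an added example and not code from the patent: the page does not name the "encryption calculation", so the example assumes HMAC-SHA256 truncated to 16 bytes (its output therefore differs from the result bytes quoted in step 13); the message layout is modelled loosely on MGCP RQNT/NTFY text and the endpoint name `mg@example.invalid` is made up; the key and challenge constants are the hypothetical values from the page's worked example. The MGC side also implements the timeout from step 15, rejects unsolicited or repeated reports, and compares results in constant time.

```python
import hashlib
import hmac
import secrets

# Constructed from the page's worked example (hypothetical values, not a real
# key): the MG's configured authentication key and the MGC's 16-byte challenge.
SAMPLE_KEY = bytes.fromhex("12245678563278232425763232454532")
SAMPLE_CHALLENGE = bytes.fromhex("7890abcdef5678900022002200220032")


def compute_auth_result(key: bytes, challenge: bytes) -> bytes:
    """The 'encryption calculation' both sides perform on the challenge.
    Assumption: HMAC-SHA256 truncated to 16 bytes (the page names no function)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:16]


def encode_param(value: bytes) -> str:
    """Encode 16..32 bytes as the package's 32*64 hex-digit parameter value."""
    if not 16 <= len(value) <= 32:
        raise ValueError("parameter must be 16 to 32 bytes")
    return value.hex()


def decode_param(text: str) -> bytes:
    """Parse a 32..64 hex-digit parameter value, rejecting malformed input."""
    if len(text) % 2 or not 32 <= len(text) <= 64:
        raise ValueError("parameter must be 32 to 64 hex digits")
    return bytes.fromhex(text)


def parse_message(text: str):
    """Split an illustrative MGCP-style message into (verb, txn id, headers)."""
    lines = [ln for ln in text.split("\r\n") if ln]
    verb, txn_id = lines[0].split()[:2]
    headers = dict(ln.split(": ", 1) for ln in lines[1:] if ": " in ln)
    return verb, txn_id, headers


def build_rqnt(txn_id: int, request_id: int, challenge: bytes) -> str:
    """Step 11: request the authoc event and apply the authreq signal."""
    return (f"RQNT {txn_id} mg@example.invalid MGCP 1.0\r\n"
            f"X: {request_id}\r\nR: auth/authoc\r\n"
            f"S: auth/authreq({encode_param(challenge)})\r\n")


def mg_handle_rqnt(key: bytes, rqnt: str, ntfy_txn_id: int):
    """Steps 12-13 on the MG: acknowledge, compute the result, report NTFY.
    Returns (ack, ntfy); ntfy is None when no report was requested."""
    verb, txn_id, hdr = parse_message(rqnt)
    if verb != "RQNT":
        raise ValueError("expected RQNT")
    ack = f"200 {txn_id} OK\r\n"
    signal = hdr.get("S", "")
    if not (signal.startswith("auth/authreq(") and signal.endswith(")")):
        return ack, None
    result = compute_auth_result(key, decode_param(signal[13:-1]))
    if hdr.get("R") != "auth/authoc":
        return ack, None  # event not requested, so nothing is reported
    ntfy = (f"NTFY {ntfy_txn_id} mg@example.invalid MGCP 1.0\r\n"
            f"X: {hdr['X']}\r\nO: auth/authoc({encode_param(result)})\r\n")
    return ack, ntfy


class MGCAuthenticator:
    """MGC side: issue challenges (step 11) and judge the reports (step 15)."""

    def __init__(self, key: bytes, timeout_s: float):
        self.key = key
        self.timeout_s = timeout_s
        self.pending = {}  # request id -> (expected result, deadline)

    def start(self, txn_id: int, request_id: int, now: float, challenge=None):
        challenge = challenge or secrets.token_bytes(16)  # fresh per request
        expected = compute_auth_result(self.key, challenge)
        self.pending[str(request_id)] = (expected, now + self.timeout_s)
        return build_rqnt(txn_id, request_id, challenge)

    def verify_ntfy(self, ntfy: str, now: float):
        """Return (ack for step 14, True if the MG is judged legal)."""
        verb, txn_id, hdr = parse_message(ntfy)
        ack = f"200 {txn_id} OK\r\n"
        # Each challenge is consumed once, so a captured NTFY cannot be reused.
        entry = self.pending.pop(hdr.get("X"), None)
        if verb != "NTFY" or entry is None or now > entry[1]:
            return ack, False  # unknown/used request id, or reported too late
        event = hdr.get("O", "")
        if not (event.startswith("auth/authoc(") and event.endswith(")")):
            return ack, False
        try:
            reported = decode_param(event[12:-1])
        except ValueError:
            return ack, False
        return ack, hmac.compare_digest(entry[0], reported)


def run_exchange(mgc_key, mg_key, delay_s=0.0, timeout_s=5.0,
                 challenge=SAMPLE_CHALLENGE) -> bool:
    """Run steps 11-15 once; delay_s is when the NTFY reaches the MGC."""
    mgc = MGCAuthenticator(mgc_key, timeout_s)
    rqnt = mgc.start(100, 123, now=0.0, challenge=challenge)
    _ack, ntfy = mg_handle_rqnt(mg_key, rqnt, ntfy_txn_id=200)
    if ntfy is None:
        return False
    _ack, legal = mgc.verify_ntfy(ntfy, now=delay_s)
    return legal


if __name__ == "__main__":
    print("same key:", run_exchange(SAMPLE_KEY, SAMPLE_KEY))
    print("forged MG:", run_exchange(SAMPLE_KEY, bytes(16)))
    print("late report:", run_exchange(SAMPLE_KEY, SAMPLE_KEY, delay_s=10.0))
```

The verdict logic matches step 15: a mismatched result or a report arriving after the deadline marks the MG illegal. Popping the pending entry on first use means an MG that re-sends (or an attacker that replays) an earlier NTFY gets no second acceptance, and `hmac.compare_digest` avoids leaking the expected value through comparison timing.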

The security data package implemented on the H248 protocol according to the present invention comprises:

Package identifier: auth; version of the data package: 1;

Event in the data package:

1: Security authentication completion event

Event identifier: authoc (0x0001);

Event detection parameter identifier: authenticated result;

Parameter identifier: Res;

ABNF code of the parameter value: 32*64 (a hexadecimal number, 32 to 64 bits);

ASN.1 (abstract symbol notation) code of the parameter value: OCTET STRING (SIZE (16..32)); (octet of 16 to 32 bits)

Signal included in the data package:

1: Security authentication request signal

Signal identifier: authreq

Name of the signal parameter: request parameter;

Parameter identifier: parm;

ABNF code of the parameter value: 32*64 (a hexadecimal number);

ASN.1 code of the parameter value: OCTET STRING (SIZE (16..32))

The authentication process based on the above data package and the pseudo-codes used are:

Step 21: the MGC initiates an authentication request to the MG: the MGC sends a Modify command to the MG and allocates a Transaction Identifier (100) and a Request Identifier (2223), to request the MG to detect the security authentication completion event (auth/authoc); at the same time, the MGC sends a security authentication request signal (auth/authreq), and generates a 16-byte random number (0x78 0x90 0xab 0xcd 0xef 0x56 0x78 0x90 0x00 0x22 0x00 0x22 0x00 0x22 0x00 0x32) as the security authentication parameter of the security authentication request signal.

Step 22: when receiving the Modify command from the MGC, the MG returns a correct response to this command, with the Transaction Identifier (10001) identical to that in the Modify command, to acknowledge that the MG has received the Modify command from the MGC correctly.

Step 23: When detecting a security authentication request signal after receiving the Modify command from the MGC, the MG begins to perform a security authentication calculation, i.e., performing an encryption calculation with the parameter taken out from the security authentication request signal and the authentication key configured thereon (the authentication key being assumed as: 0x12 0x24 0x56 0x78 0x56 0x32 0x78 0x23 0x24 0x25 0x76 0x32 0x32 0x45 0x45 0x32). The result obtained through the encryption calculation is (0x12 0x34 0xab 0xcd 0xef 0xab 0xef 0x90 0x00 0x22 0x00 0x22 0x67 0x89 0x77 0x88). The MG generates a security authentication completion event and checks whether the MGC has requested to report the encryption completion event; if detecting that the MGC has requested to report the event, the MG sends a Notify (NTFY) command to the MGC, with the detected event being the security authentication completion event (auth/authoc) and the event parameter being the encrypted result. The Request Identifier (2223) is identical to that in the Modify command sent from the MGC, and the Transaction Identifier (10002) is assigned.

Step 24: when receiving the Notify command from the MG, the MGC returns a correct response to this command, with the Transaction Identifier (10002) identical to that in the Notify (NTFY) command sent from the MG, to acknowledge that the MGC has received the Notify (NTFY) command from the MG correctly.

Step 25: when receiving the encrypted result reported from the MG, the MGC compares the result with the encrypted result calculated by itself; if the two results are identical to each other, it considers the MG as legal; if the two results are not identical to each other or the MG doesn't report the encrypted result within a predefined time, it considers the MG as illegal.

1. An authentication method for network security, comprising the following steps: step 1: a Media Gateway Controller (MGC) configuring a Media Gateway (MG) with an authentication key, and setting a security data package on a network protocol; step 2: the MGC, during the security authentication, sending security authentication request data to the MG using the data package; the MG performing an encryption calculation on the request data using the authentication key, and responding to the MGC with the encrypted request; step 3: the MGC determining whether the MG being authenticated is legal according to the authentication result.

2. The authentication method for network security according to claim 1, wherein said network protocol is Media Gateway Control Protocol (MGCP).

3. The authentication method for network security according to claim 1, wherein said network protocol is H248 protocol.

4. The authentication method for network security according to claim 1, wherein said data package comprises a security authentication request signal and a security authentication completion event, said security authentication request signal comprising a security authentication parameter, and said security authentication completion event comprising a security authentication result parameter.

5. The authentication method for network security according to claim 4, wherein said step 2 further comprises: step 21: the MGC sending the security authentication request signal in the data package to the MG; step 22: the MG, after receiving the security authentication parameter in the security authentication request signal, performing an encryption calculation on said parameter using the authentication key, and reporting the encryption calculated result to the MGC through the security authentication result parameter in the security authentication completion event in the data package.